Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft: Old Worm Copies Conficker for New Twist



 By: Brian Prince
2009-04-05
Article Rating:starstarstarstarstar / 2


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A new version of the Neeris worm is exploiting the same Microsoft flaw as Conficker. The Neeris worm dates back to 2005, according to Microsoft.

An updated version of an old worm is targeting the same Microsoft vulnerability exploited by variants of Conficker.

This time around, MS08-067a patched flaw in the Windows Server serviceis being targeted by a new variant of the Neeris worm. Neeris first appeared in 2005, but is now back on the scene with new functionality similar to the Conficker worm.

It is interesting to note that this new variant of Neeris spiked on late March 31st and during April 1st, officials at the Microsoft Malware Protection Center stated in a blog post. However it was not downloaded by any Conficker variant and theres no evidence that its related to Conficker.Ds April 1 domain algorithm activation.

Resource Library:

Conficker.D is also referred to by other vendors as Conficker.C, Downadup.C and other names. The worm is estimated by many security researchers to have infected millions of PCs.

The new Neeris variant is detected by Microsoft as Win32/Neeris.gen!C. Earlier versions of the worm exploited MS06-040, which addressed a vulnerability in the same Server service as MS08-067.

If the exploit is successful, the victims machine downloads a copy of Neeris from the attacking machine using HTTP. In addition to the Server service exploit, it also spreads through AutoRun and adds the same "Open folder to view files" AutoPlay option that Conficker does.

Neeris began as an IRC bot which spreads itself by sending links through MSN Messenger, according to the blog post. It still operates as an IRC bot, but over time, new spreading methods have been added. The latest variants can spread via removable drives, SQL servers with weak passwords, exploiting MS06-040, and finally exploiting MS08-067 in the latest variant.

The new iteration of the malware tries to connect to a command and control server over Port 449. According to Microsoft, the server password it uses to log in was used by other bots last February. The malware adds itself to start every time Windows starts, and adds itself to the Safe Boot configuration as well.

Due to its similarity to Conficker, many of the same pieces of advice apply. Users should install MS08-067 if they have not already done so, and consider disabling AutoRun.

The earliest samples of Neeris date back to May of 2005, so it seems the Conficker authors may be the copycats here, the blog post reads. But the Neeris authors added the MS08-067 vector later. Therefore it is possible that these miscreants somehow collaborate or at least are aware of each others 'products.'

 






  Reader Comments: Microsoft: Old Worm Copies Conficker For New Twist
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}v8sjS#[Nr[tgܣCQ2EIKOܗ{''7-%3']D ~vv$IG=!g4(ٝ9O ޚ%Tw>;sLk9UQ#CQSrĠ建>u˜صAz:pG;|9|@vD%SjNAM3g{FmW6g2z9ޭ3 fEg5h{=D@~,Z P8 {(Z= ?+B4eIXߢر7{Xe3g71m )*X^P~D;{NyЀk`V#w- -ǸZUX'[vB1BE8 ;wCJ3q򿹓'uڪ8NQp'F:tQ>D>8z v r4:a;6]dU~7P7n&3GdYoA.wQKvTmBO|lG?05OLErؗYG3fXqi ͡JZUQ by_)+www;9we{U gƨ?;Wʪ)~w>̑GA nnkp[J^׵Si_u{ݓ>~jkr m + o$& JDTRBp$" PcjCG'I^GoVS7B-hZAArIja>E4f‰EU}$vߔM-~k~:AN,sAT4 行ĠK`W:+4Zt\4/9utH}!)|v!pgs ZʟZr\? vgl M 4}GVK{S{|"޺xt>&9I Dz7?s`HmDi[ܺȑ\ yǛ+a(7`cM|`戒":sfͪ5V z[R}3@_x0ND97okcfIr(,eg{j MH:vfyM)o dz!CCZ9nVȨUSA%EI7CD rQ"`Q%u '|#8Jn.b? K#΃Ӱfeٜ%YWaF"G#-*<ǞOZǫV..~zi T364>P ,H!eݴ%稫榣V)ǦcWJPX=,‹ʾb(7Ztl 2XbXvPѱ>lA`:~g!>ё9Նm'!|emxZ.33ЍIXn`vtHa;Nh>[W <[ K!Pň00gwk9mLP"AЂMx>tw&>ld(4o)sɹsP&& zrWtcP{DE}vCρY' >)@}>\ lmV7-}hZ`1  JKm;r%FaA7Eأi?]Pv9B B!\0 H P ab .u@Gҹ3qjt_*kR1eb -x[b~ILg2+IɴaX9yDMf#T`B[ụLKak`DݜrA+żMCFfޙAkwYgдJzq8JREux.(J9Aw)` N 2|h <Ҁ!as`Ez . Z Hs}"T0|*UTˈ`nS@@kSU Փ.ZE^~~V%Ŵ谢zԘ{}Qː 0gxyd.NәZ JqtheU-UjRAgD+ϏyWE"IԀA_}ό95FN>+zM͠G>snAy >{Vv0eE>yLLZ<6}˰"U>5t!/cԧ8PȺU0UESU[+3؞?F]h6B\4!<}gS5 pf nWQ=KjJvg ` \7~ML n!VɕFZV?&IG{EY(,.>uP*jIIz,pEYbk5b iW&s\x&\_{sƋbo(Q^~TW"6)wD<7ϰ3}Nb i˴WՄθā0O[&IgYy!ڤiH@kX{PdFV5XI˴I> O0tG.ˤCGTTFogA"7P)߭q*hɹT.jZl[)Uʹw>"s41zAbzQ=Y @rrjT  eP.xt|V n#Mxh{$,8{Je%[ ir}c$ $"zR=.=2a7ZPf㜌t/x۹ ת)ln |J~Zg^p t,+?v~n7g}E_:it?v0yY}z֏R Ւ{%<jԾhq@JV%N/R8mc4.[-j2i&A)p]2|̮f}q*]whg筓~py- @@W~#tW %y;$틖u ߽o=rHpAjO/X G>9>o5ÏOM1k&05h8!k`&zikR_KٺĂ1 a՜$"j MN3$ne8\;mH19 ºUXHE`#P($T0r(`$X*XU2]7>G2syI6^SF(+bK)"$DY \egq/`Ac1:*:{_[a(kᷘo9?Oů1OkwtAh[(ktNz4& \1[INj?!4|㿜yQ$M "a]Zqnuz}@hDRB9kũ-xOӆO\eax!u- q%՝b"f BٸEO ,,-fSs S)Ҥ< AgJȄfye5)a5R!MLCYOC/$f;kB:Tzs giMN6mn3j;[/GX:[ .VH_8_`跏",G7lj9l0`&09˫b~]4_twfGڶ'c'<;NbG/syBO+f8 ,]:]7__lzǜGoIM21B? Pݘ~h=;0蚳 o.(cǩ-;oCD'wxFMy@uS意g 9rnnהŞa6 ݥovR8}'i?vݷ;޽¾"CWqjk:+@Nl"$$yUZ/WU3$]d% >Yx2M3}%3 =яKi^xΠt< 7{ {!F.501.s!T7?_eܰKw= =z .+-R!EkEwWUK 㒏W"E'%:#ڬ/ۥ{kY\dbQWٞg2~1OkO=reGћ;`!3ȑ +Ӡ9m&s{$;gr0G c*yx\]w71&P)<A~A< v4)[7y:Z}hn3d⫆܆~@F' ZYOXW+O2QFD5|{ rx );= /1g&o(#ڟ_KVMnc b |cI%%??=3q x ZГqi+Bq_pLI$X)n=EFJ}:3mXc[-!Բg}9uxtlhzvBy1;1v/ KSAZ< '*.huv.[ܭoVǟ;+BD> 1}vmqP{p9`b@InYD[N|2/,x@P 7MY"L<~`q9Pm& 1gaHwgAWAgNuM 9wRYn!VYMh4 TI@gqkJcuL$PvG,3ôVD;;/ n$ns&6xX:Y%Wޮ8)D( -0ަ)E~1qz}:ؘE$QIbhKm_K񨷤eX*B A$HlppG> B:DA{GMǯۍU vWּZ}<8AOKS7)(Y0=Ap<* 0 K`fPT)0x" MPsQ 'a׶5 MitZ1aXBy;xev?#3kͪ|)H*A: JZ|"Tr<m޼ ̸-"x4#Qc lz"}-2 |՟ tS /4eB/|U` zK`&I 3t@`H/0%9RXuY#-^¶N-#1 }[q DYmO㊺)^cܲ'NtBtXjM 0€a€CQ)X6B7{}w"*Vޔ/N\'-09})p3jP64axUJXA^NhCp5X~[4LHnokt%E۔*O( ua"leTh,<6JԖfTwaP!Fzb ZbxXZЬj[QLQZĒ;8VʕkIx@\ݣݣݣݣVJqX6c{Ų/ސq*,AA>zhR)ZƯ(^͐X5=Gy|s3D#Jv+x}e oi|_ֆtbV$%v݂*7ԄxW՜]+uZX*㠋5 8Kv8Cna`]E`GoH_y!ޞAlH"sӞ3a_$SFKS5tj3F(gх[5NVqC 8K$Nb{$Ool_WAlHv6.:Ѳ+Ǹu5l@d{k> Im-qa7!y<×q45Y _O7sgфI#WHX}!~1ZԊ# VpB>HuJiٳ@`~r>:w^ 3|}JCH_ko6Fվ/3n>H2kݺ d'S0%GT:(vH̀B$yD C۰R&~+$ġ[ ]/9[H< 0) ,zA-$ `7C/[y/KNGP(\:#4fl^G*4_QK+IXa5~%]Rǵ(OJ౎7îOB@Ro:_o&c֌Zd„94@1 h<.^F8shwre qCHK'{U,x5JCGVY ˳3w6eI@}i˼q i |ݖ˷3SҽV2uLZ!9rˮ~i_1 φP T1q3 븺e}%.⛽M2Ċ#ķjn7 L/2M`Yy7W*DyGM l߼!٩LfbDRso Z!ߤ̢m_mO(ʼU_tׅ dUoko9t)۬R2ײWbr,MIӼNà=z ƗY'֤ [IHgs;WP5EX1̭,ednXt+J^$n` =yT\8#@{9^Lu'|O/Em/4P<[]_U@kXbw2$~M -{8S~xr1LCv1Y6l3"|8?auÍ PNũ߱yxH]S`n+ƵVxrz9T':| ך)cv4$} Opl Rov za@amIY`,h6Wv`im!۟`n2y+e9q{1{ga),*ǝR9s/ǝږSPI\y|֏" ~50Vq7/Rd7'w|{ݴ0ek)G>?Dw-A:^o? nbu+f]Ԑ5|51 '>d׳ 8ZP^=ˢǏ;KDNt1Q+"x]MPVôL_O]ILa!-(!-DȮqaIzŽL&sLj$r9y4ꊚbMm@`¸~ODZ@ O^a)qc) +px΃L,!"n/͛I~1O40cS,^4𖭐J11ǜS;O\(.HQ,:-~e=^^@FwS3 n oTJ9t[`ɣ.j"+% JD->&}ŨtV֣g5̈Gbv av̈́󄾋7Zz9Z<HsS577Z}j+'11h pK9cjqRb?XعZS԰p-|ri?*ܪzB9w,IfjRvw^ՔV-U)4r"BO .xړGF^Gn?2RI+[g=qFeTt3mS -.5Lg~R߈uX{0oadxd=- GrEu,?`(;R3ZNpxu!.-<_!Ƙ" TTbЍB1˪M;InP}wY?e=` '^fsB {=Ll~G#hM,{|U:Ag|%w[RG7-N>KY6po¨`*ÇMA+WTD~h:Mx\Hu /1a<{Dn2K= o~{@\r qaV roEVIz# ,@G E슍\abB p[C}N.Z׽VߺꡇU Ci6&7u..a}ti0XtQa !'@vQ]Q 03Bxt'l.c갋:?rar>~ᜭ#+^bʑf,R~cZ.zʾRE1 `8*gj9T KPL 2@: xE {Wnrj5-i`I;@rsfIA!#cJ 00mÚ3bQP۠{Q=۾dlUo%P`qT|8snj=J<|2~ _%RSK3QE,D "}nA=bAa~NJ%TJTmn$>9֛[xwF:Lma`t.ƒ2,GAn25:bAPn 0YK7`C'[jEY|ob{` ?%#غ9P;.3޿x *~z0^{0^@ # 埲a|2 )P~U{AuF@ugK\8=Rer z)A^d_~*%IF>gȳ+z7^˰s=ce_/ˀq}ym&R+ ]Q%5Mk[I2}ח c|U(X2M*#(^>&c˼_VPw;]SҤ]j. {%])7[O'ikr(s<2g!h{42'f[ !3F j{ %YØ/ܻ Gz‰nQ! /L2~4̊lOAptrmîpݮ' 5OnsOkr>uxvY^]YT_;Yo)P.CZ:y}³2SwفGh O WY-Jaġ]= =or܌3XZii]]4{hgdAMedz37US !Pio0dp= .ʼn*|t5pÅ͹qg8L ;J墦 V˕R;qG+B$ô{(&0#&T_$`rX엊r(RB4|OӴW)Y7 yVi8an%[C DK(xx=*ۼx0,{|yN ڎy@7 J,w;D@.^s#m|LڸAÆo^Ėٵv"n<4wz:ml:@4ǭaƹr݂xql4@[4wB/`-&W \=wWp*taxAptSY/hpx7/޺FFY"wrd9GU Z#NqH8݈8sx2&6 u;9&c3{P3xX8 7t ճVmb U]ݎ:SW'/Հ`m_ 8iX3&?cWIId .e?D6?,q?i"r]6M b ه%?1ɫo o=`&IϐR8;͞#10:hqjF߮eh#IM &Ah&.W5b8gCbwBZ9= S%JuF*HԲ'x*D^|˼+AўYn0w>L%/#]ZDc`Wpۂ{S-Urcd+{f:ePEXl+AEk,^rXѻ$'Ps:hՆG0ޏq[7Pl@xS b Gm;q3r4M ѨpCTؖEd3^m7u ۲|ږa=vks`cΜ U  =[=܋;}c\:1F`w^=͓ lI12#, $8jVI;;a0&iE-㨤t`C v_ʉ~ph[?҈>A wVǰ>BO7 SoO80Ux|-h\l}[xt,x0#ŸEr,ŀ~Y´Bd+KW̱0_^5El݂*Ԉc-hsFsq7MSga+cPXjcL1G],@<փ LW{څGQlv* X>!ˣŬe]+N%t&vж?TFa$:R3 KEj Z.t3\0xqBaʩȩ(v}_\%hw2b5ŠӞ_yfOȅv0,#ֿĊN|]t1NʓE_:itxH%Dn{`gg^VXvQJe